fix(#123): address all review findings from PR #129

MAJOR fixes:
- gitea/ipcheck.go: replace startup panic with init()+error list pattern
  Hard-coded CIDRs that fail to parse now recorded in blockedCIDRParseErrors
  instead of panicking. TestBlockedCIDRsValid catches programming errors
  in CI without violating CONVENTIONS.md 'never panic' rule.
- .gitea/actions/review/action.yml: re-validate SERVER_URL at start of
  'Install review-bot' step to close DNS rebinding window between
  'Determine version' and install-step curl calls.

MINOR fixes:
- gitea/client.go: add Timeout: 10*time.Second to net.Dialer per PLAN.md spec
- cmd/review-bot/validateurl.go: switch isValidateError to errors.As so
  wrapped *validateError values are also detected
- gitea/ipcheck_test.go: clarify 198.51.100.1 (RFC5737 TEST-NET-2) comment;
  add TestBlockedCIDRsValid to surface CIDR parse errors as test failures

NIT fixes:
- .gitea/actions/review/action.yml: refactor Python list comprehension in
  SSRF check to for-loop (avoids side-effect-only comprehension, runner compat)
- gitea/export_test.go: expand comment explaining white-box test pattern
  (why package gitea not gitea_test, Go stdlib precedent)

Remove PLAN.md (implementation complete)

gitea/client.go

@@ -136,7 +136,10 @@ func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error
 		}
 	}
 	// Dial the first resolved IP directly to avoid a second lookup.
-	d := &net.Dialer{}
+	// Timeout: 10s per the design (PLAN.md); the outer http.Client has a 30s
+	// total timeout, but the dial itself needs an independent bound so a slow
+	// TCP connect does not consume the full 30s without cancellation.
+	d := &net.Dialer{Timeout: 10 * time.Second}
 	return d.DialContext(ctx, network, net.JoinHostPort(addrs[0].IP.String(), port))
 }